Anti-Trojan Jammer Foils BO, NetBus And More
In March of 1999, the developers of a new security application called Jammer contacted me and offered a copy of their product for testing. I have now put this clever tool to lengthy tests with excellent results, and even conspired a bit with its creators to extend and improve it through a number of version changes. Jammer is now (17 Aug 99) available in version 1.95.
Jammer Really Jams
Jammer is a whole new approach to trojan protection. Other excellent tools exist which can spot the scans of trojan users and may assist in identifying the culprits; NOBO is one good example which is specific to Back Orifice (BO). Another is NukeNabber, which listens for a variety of trojans and can be configured.
Such tools are not quite rendered obsolete by Jammer. NOBO remains useful to set a trap for intruders, and NukeNabber still detects some forms of attack Jammer doesn't inspect. But Jammer goes far beyond the port-listening capability of these countermeasures -- to the point that if put into sufficiently broad use, it has the potential to virtually render Back Orifice 1.20 unusable to the majority of would-be attackers on a Net-wide scale. And to strongly impact the use of many other trojans as well.
How Can This Be?
Think of it this way: If you had a house with 65,536 doors, valuables inside, and only one door with a lock, your neighbors would think you insane. Well, that's the situation with most of the port-monitoring anti-trojan applications. Even 200 monitored ports aren't enough, and that's the most any port-monitoring application can do under
BO itself, as well as NOBO, your browser, etc., all depend upon Winsock and therefore send and receive on a single port, or on a very limited number of ports; they will never receive or recognize a packet intended for any other port. NOBO can, to its credit, be set up on any port and password, but it is blind to all other port/password combinations.
Jammer effectively bypasses the Winsock mechanism in the manner of a true firewall. It examines every incoming packet regardless of its destination port. Because Back Orifice packets are encrypted, and can use any number of passwords, Jammer goes a step further: it decrypts the packets, with surprising speed. If desired, it then responds to the intruder with a warning, using the necessary password so the BO user's client program will correctly decode and read the response.
BO client users find themselves exposed every time they contact your machine regardless of port or password.
Data transfers on the Net are always in the form of packets -- relatively small packages of data. These packets each carry an IP address and port number for their source and
The port number is the mechanism which allows multiple applications to use the same network connection simultaneously. Any application, such as your browser (or Back Orifice for instance), which is using the network link has one or more port numbers assigned to its exclusive use. Each port number occupies two bytes (16 bits) in the packet's TCP or UDP header, one for the source and one for the destination. There are therefore 65,536 (2^16) possible port numbers.
The Windows network software (Winsock) which manages network data exchange receives these packets, checks the port number in each, and passes them to the appropriate application.
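To make the two preceding paragraphs concrete, here is an added example (not code from the Jammer product or its authors) that does in a few dozen lines what the article says Jammer does beneath Winsock: it parses the IP and UDP headers of a raw datagram, pulls out the 16-bit source and destination ports, and flags any datagram aimed at a port with no listening application, escalating to "port scan" when one source probes several such ports. The sample datagrams are constructed inline for the example; the listening-port set, the log line format and the scan threshold of four distinct ports are assumptions chosen for illustration, not Jammer's own settings.

```python
import struct
import ipaddress
from collections import defaultdict


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Assemble a minimal IPv4 datagram carrying UDP (checksums left zero;
    enough for header parsing). Used only to construct sample input."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return ip_hdr + udp


def parse_ipv4_udp(datagram):
    """Read source/destination address from the IP header and the two 16-bit
    port fields from the UDP header. Returns None for non-IPv4 or non-UDP."""
    if len(datagram) < 28 or datagram[0] >> 4 != 4 or datagram[9] != 17:
        return None
    ihl = (datagram[0] & 0x0F) * 4          # IP header length in bytes
    sport, dport, ulen, _ = struct.unpack("!HHHH", datagram[ihl:ihl + 8])
    return {
        "src": str(ipaddress.IPv4Address(datagram[12:16])),
        "dst": str(ipaddress.IPv4Address(datagram[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": datagram[ihl + 8:ihl + ulen],
    }


class UnsolicitedPortMonitor:
    """Watches every datagram, not just the handful of ports an application
    has bound, and logs contacts to ports nothing on the host listens on."""

    def __init__(self, listening_ports, scan_threshold=4):
        self.listening = set(listening_ports)
        self.threshold = scan_threshold       # assumption: 4 distinct ports = scan
        self.probes = defaultdict(set)        # source IP -> set of probed ports
        self.log = []                         # one line per suspicious or accepted contact

    def inspect(self, datagram, when):
        pkt = parse_ipv4_udp(datagram)
        if pkt is None:
            return None
        if pkt["dport"] in self.listening:
            kind = "accepted"
        else:
            self.probes[pkt["src"]].add(pkt["dport"])
            if len(self.probes[pkt["src"]]) >= self.threshold:
                kind = "port scan"
            else:
                kind = "unsolicited"
        # The fields a complaint to the source's ISP needs: time, source
        # address and port, destination port, and what kind of contact it was.
        self.log.append(f'{when} {pkt["src"]}:{pkt["sport"]} -> :{pkt["dport"]} {kind}')
        return kind


if __name__ == "__main__":
    # Constructed sample traffic: a host listening only on 80 and 137 receives
    # a probe to 31337 (BO's default), a normal web packet, then a sweep.
    mon = UnsolicitedPortMonitor([80, 137])
    for port in (31337, 80, 12345, 12346, 54320):
        dgram = build_ipv4_udp("10.0.0.9", "10.0.0.5", 1025, port, b"probe")
        mon.inspect(dgram, "1999-08-17 10:00:00")
    print("\n".join(mon.log))
```

A Winsock application bound to port 31337 would see only the first of those five datagrams; a monitor sitting below Winsock sees them all, which is the whole point of the 65,536-doors analogy above.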
Jammer Sees All
NetBus in its latest versions (2.x) uses a similar encryption scheme to that of BO; configurable ports and encrypted packets. The Jammer also identifies and decrypts these contacts.
Ironically, both BO and NetBus make their transmissions positively identifiable by the very fact of the encryption that was intended to obscure them!
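The irony just described rests on two properties: the plaintext of every packet begins with a fixed header the client and server use to recognize each other, and the key is derived from a short password, so the space of possible keys is small enough to search exhaustively. The following added example (mine, not code from Jammer, BO or NetBus) shows the consequence with a stand-in cipher: a toy 16-bit password hash, an LCG keystream and an eight-byte header constructed for the example. None of these are the real BO or NetBus algorithms; the point is the method, which carries over to any protocol with a fixed header and a small password-derived key. A monitor that tries every key on an incoming packet both identifies it as trojan traffic on whatever port it arrives and recovers the key needed to answer in the client's own cipher, which is what the warning reply described below requires, and is the "password" the later section wishes Jammer would report.

```python
import struct

MAGIC = b"HELO-TRJ"        # constructed fixed header; stands in for a real protocol's magic
KEY_BITS = 16              # assumption: password folds to a 16-bit seed


def password_to_key(password: str) -> int:
    """Toy password hash: fold the bytes into a 16-bit seed. The small output
    size, not the hash details, is what makes exhaustive search cheap."""
    h = 0
    for b in password.encode():
        h = (h * 31 + b) & 0xFFFF
    return h


def keystream(seed: int, n: int) -> bytes:
    """LCG keystream: each output byte is taken from the high bits of the state."""
    state = seed
    out = bytearray()
    for _ in range(n):
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt(password: str, command: bytes) -> bytes:
    """What the trojan client sends: MAGIC, a length field, then the command,
    all XORed with the password-derived keystream."""
    plain = MAGIC + struct.pack("<I", len(command)) + command
    return xor(plain, keystream(password_to_key(password), len(plain)))


def decrypt_with_key(key: int, packet: bytes) -> bytes:
    return xor(packet, keystream(key, len(packet)))


def identify(packet: bytes):
    """Try every possible key against the first len(MAGIC) bytes. A hit means
    the packet is trojan traffic and the returned key is the one the client
    expects replies to be encrypted under. None means 'not this protocol'."""
    if len(packet) < len(MAGIC):
        return None
    head = packet[:len(MAGIC)]
    for key in range(1 << KEY_BITS):
        if xor(head, keystream(key, len(MAGIC))) == MAGIC:
            return key
    return None


def warn_intruder(key: int, message: bytes) -> bytes:
    """Build a reply the client will decode correctly: same header, same key."""
    plain = MAGIC + struct.pack("<I", len(message)) + message
    return xor(plain, keystream(key, len(plain)))


if __name__ == "__main__":
    # Constructed sample: an intruder's packet under an unknown password,
    # arriving on an arbitrary port the monitor was never told about.
    incoming = encrypt("s3cret", b"PING")
    key = identify(incoming)
    print("recovered key:", None if key is None else hex(key))
    if key is not None:
        print("decrypted:", decrypt_with_key(key, incoming))
        reply = warn_intruder(key, b"You have been spotted, decrypted and logged.")
        print("reply decodes on client as:", decrypt_with_key(key, reply))
```

The search over 65,536 keys takes well under a second in Python, so "decrypts the packets, with surprising speed" is no surprise once the key space is this small. Note that a hash this narrow maps several passwords to one key; for talking back to the client only the key matters, and any password that hashes to it would work.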
Jammer's packet detection is not limited to BO and NetBus but is quite generic. It spots virtually all packets with destination ports which have no listening application on the host. Thereby, it sees and alerts on port scans, trojan-hunting "pings," and contacts of almost every kind. Its only omission at present is ICMP attacks (nukes), which Windows networking updates and Win98 have solved for the most part anyway.
If you choose, Jammer will reply to the trojan user with a scary announcement. It's the last thing he wants to see: he's been SPOTTED. And decrypted. And logged. More than likely, he will immediately begin avoiding your IP neighborhood.
If that's not enough, Jammer makes it possible to get some of those trojan users into well-deserved trouble. Every suspicious contact is logged with source IP address, the source and destination port number, the type of contact, and the time. This is all the information the intruder's ISP needs if they are to act on a complaint.
Jammer does resolve the source address to its name, and often that is sufficient to correctly direct a complaint email. Jammer even provides a quick-and-dirty email application so you can send the latest log entries to a service provider. Usually support@[domain] or abuse@[domain] will do the trick. But sometimes Jammer's address lookups will fail or the information they yield will be insufficient. For improved info-gathering on any address Jammer spots, I recommend downloading and using my free Network Tracer. This batchfile utility will put together a quick dossier on any given address, sometimes even enough to identify the user directly; and certainly enough to find an interested ear for a complaint.
When Jammer identifies a packet as a BO or NetBus transmission, and sees that it has been accepted by an application on the host machine, it alerts on the presence of the trojan and will attempt to remove it.
Thus Jammer comes close to being comprehensive protection against BO and NetBus 2.x.
However, it is advisable to find and remove any trojan before it is contacted by an intruder. BODetect solves this, and paired with Jammer constitutes near-total protection against BO and NetBus users.
On the whole, the user interface is uncomplicated and easy to use.
Here's a screen shot of the Jammer console with its Options dialog open:
And the warning message as seen by the would-be intruder looks like this:
Can It Be Circumvented?
It remains to be seen whether BO-loving black hats will find a way to deal with the Jammer. Its documentation states that the registered version would be very difficult to overwhelm with a flood of packets, which is, so far as I know, the one and only likely method of attack. Jammer's mode of operation is essentially that of a specialized firewall. It seems unlikely to me that Jammer will serve to create any new vulnerabilities not already inherent in the user's machine.
The Jammer sends its warning message to the client user by default, and offers no options to change or turn off this response.
Also, the Jammer does not report the password it has found. Lack of this password, along with the fact the attacker has been warned off, means the user is denied what could be an excellent opportunity to set a trap for his intruder with the BO Spoofer. (Imitating the BO server, the Spoofer allows observation of the intruder's activities and can provide clear evidence of his intent.)
The Jammer could be readily improved in these respects, and probably will. Other features I'd like to see are:
Especially if #4 above is done, the Jammer has enormous potential as a defensive tool for Netizens everywhere. At present, BO and NetBus appear to be involved in the vast majority of trojan intrusions; but there is a clear trend towards increasing numbers and increasing diversity in trojans of this type, with no end in sight.
But widespread use of a consistently-expanded and constantly-improved Jammer could put a major damper on this assault on the Net in all its forms.
I'm unable to find mention in the Jammer's documentation of its system requirements, nor of its functionality under NT. But I see in its program files some indications that it is intended to run on NT machines.
It installed smoothly for me on two Pentium-class Win95 machines, and worked as advertised without crashes for many hours. According to Wintop, it consistently demands a bit more than 1/2 of 1% of CPU time on a Pentium 166.
The Jammer requires WS2_32.DLL, a component of Windows Sockets 2. Users of older versions of Windows 95 may find they need to install Microsoft's free Winsock 2 Update. (For security reasons, I would also recommend to those same users that they install Microsoft's Dial-Up Networking Update; and for system performance purposes, I recommend the Kernel32 Update, which fixes a Net-related memory problem in older Win95 systems.)